Important This version of the product has reached end of support. The documentation is available for your convenience. However, you must be logged in to access it. You will not be able to leave comments.

Adding or editing an external event filter

  1. Open the External Event Filters page by navigating to Admin > Network Admin > External Events.
  2. Perform one of the following actions:
    • To define a new external event filter, click Add.
    • To view or change an existing external event filter, select the external event filter and click Icon_Edit.png.
       For example, the event filter in the figure below is used to trigger the Auto Archive policy when a potential configuration change has been made by an external user.

      EditExtEventFilter.png
  3. Enter or update the information in the following fields:
    • Name: Specify a unique name for the filter.
    • Enabled: (Optional) Uncheck to disable the filter.
    • Source: Select Syslog or Check Point for the source of the external event.

    • Filter: (Optional) Specify one or more syslog text strings that, when matched, are categorized, logged and processed as the selected Event Type (for example, Configuration Changes) for the device.

      The string should be in the form of a regular expression, with .* at the beginning and end when needed to match arbitrary text at the edges. See Grammar-field-metacharacters for a summary of regular expression metacharacters.

      If the syslog message contains a username, enclose that part of the regular expression in parentheses (). TrueSight Network Automation extracts the username out of the message so that it can track external changes back to the originating user.

      For example, an IOS syslog message that looks like this: %SYS-5-CONFIG_I: Configured from console by johndoe on vty0 (10.1.1.51) Would be matched by this regular expression, with extraction of the username: .SYS-5-CONFIG. by (\S+) on.*

      Notes

      • Filters should be ordered with more-specific expressions first, so that TrueSight Network Automation can make the best match. When you add new filters, they are added to the end of the list.

        For example, Cisco IOS can emit the configuration change message used in the preceding example with or without a user name. The expression that matches the version that includes the user name should be in the list ahead of the version that matches the message without a user name. Otherwise, TrueSight Network Automation does not extract the user name, as it stops at the first match.
      • Failure to extract a username from a syslog message does not harm the TrueSight Network Automation system in any way. Not all syslog messages include a username. The Auto Archive and other policies trigger regardless of whether or not usernames are successfully captured. The captured username is displayed as the originator when configuration information is displayed (such as in the Change Summary report).
    • Event Type: Select an Event Type for this filter. The Event Type is used by the policy Keywords and defines how the event is logged in the Event Log.
    • Incoming Severity: Select the syslog severity of the event for filter matching.
  4. Click Save to save your changes to the external event filter.

 

Tip: For faster searching, add an asterisk to the end of your partial query. Example: cert*